Today, many services are available on cryptographic processing systems such as terminals. Access to some of these services can be protected by a sensitive data item such as a password or a cryptographic key, notably when these services involve sensitive information, such as banking details.
The storage of such sensitive data is generally required with a view to a subsequent authentication or decryption of encrypted information. Ideally, these sensitive data items would be stored in a secure memory of the terminal in order to prevent them from being hijacked, by a malicious application for example.
However, many terminals do not have enough space inside a secure memory to store such sensitive data items, or quite simply do not contain such a memory. It can therefore be easy for an attacker to recover these sensitive data items from a non-secure memory and use them to obtain the sensitive information used by the corresponding services.
To complicate attacks by automatic systems, it is desirable to avoid handling the password P directly outside of any possible prior configuration step, for example by using a hash value C of this password, obtained for example during this configuration step using a cryptographic function F. For example, C=F(P, R) where R is any value, random for example.
Such a technique is known from document US 2011/0296509, which proposes a solution based on a challenge-response of CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) type making it possible to automatically tell a human user and a computer apart. The proposed solution relies on the storage in a database of the value R and of a CAPTCHA-challenge ChallR to which R is the response. In particular, it involves using a response R′ from the user to the CAPTCHA-challenge ChallR that is submitted to him, for computing C′=F(R′, P′), the password P′ also being entered by the user. C′ is then compared to C=F(P, R) computed by a server based on the memorized value R and on the password P, in order to verify the match between P′ and P.
A current technique for preventing an attacker from easily finding the password P consists in storing it, not directly as in the system of US 2011/0296509, but indirectly via the value C=F(P, R), accompanied by the corresponding value R.
Nonetheless, brute-force attacks are known that consist in recovering C=F(P, R) and R memorized in a system, then automatically testing all the different possible passwords P.
Generally, passwords P are of limited complexity. For example, a PIN code encoded on 4 bits represents only 10^4 possibilities to test.
An attacker can therefore quickly work backwards to P and to any sensitive information it protects.
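The search-space argument above can be checked directly with the following added example, which is not part of the original document. It assumes F is SHA-256 over R || P (the text only says "a cryptographic function F"), treats the PIN as 4 decimal digits to match the 10^4 figure, and uses hypothetical function names and a constructed sample PIN.

```python
import hashlib
import itertools
import os


def F(p, r):
    """Assumed stand-in for the document's F: SHA-256 over R || P."""
    return hashlib.sha256(r + p.encode()).digest()


def configure(p):
    """Configuration step: draw a random R and return the stored pair (C, R)."""
    r = os.urandom(16)
    return F(p, r), r


def search_space(digits):
    """Number of candidate PINs of the given decimal length."""
    return 10 ** digits


def exhaustive_search(c, r, digits=4):
    """Test every candidate P against the stored (C, R).

    Returns (P, attempts) on a match, or (None, attempts) if no
    candidate of that length reproduces C.
    """
    attempts = 0
    for cand in itertools.product("0123456789", repeat=digits):
        attempts += 1
        p = "".join(cand)
        if F(p, r) == c:
            return p, attempts
    return None, attempts


if __name__ == "__main__":
    c, r = configure("7291")  # constructed sample PIN
    p, attempts = exhaustive_search(c, r)
    print(f"P={p} found after {attempts} of {search_space(4)} candidates")
```

The random R makes each stored C unique but does not enlarge the set of candidate P values, so the work is bounded by the PIN space alone.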